Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. CORS for App Proxy

    There should be a CORS setting available on App Proxy, just like we have CORS available for App Services.

    Making calls from Azure Apps into an Azure App Proxy App is a very common scenario, especially when on-prem applications are surfaced externally using App proxy.

    More details - http://stackoverflow.com/questions/43955808/cors-prelight-issue

    194 votes

    22 comments  ·  Application Proxy  ·  Azure AD Team responded

    We are looking at enabling a feature that focuses on supporting CORS preflight requests between two applications. This works by allowing you to configure the response and have App Proxy handle it on behalf of the app.

    A pre-requisite for this feature to work is that the user must be able to authenticate into the second application in order to avoid a CORS issue from the login flow into the second app.
    To avoid this, the user will have to make sure they have already accessed the 2nd application before the CORS request and have valid credentials. This should work for wildcard apps and can also be achieved by adding a fake link / image to the 2nd application in the first application.

    We would love to get your feedback on this requirement and if this is something that will fit your use case.

  2. Make SPN (non-interactive) login events logged and available

    Currently in Azure AD, when using SPN (non-interactive) logins via code (.NET, PowerShell, etc.) for automated processes (server-to-server communication/API) that interact with Azure, there is no event in the Azure AD logs to show that this login has occurred. Please expose this in the logs in the same fashion that an interactive user login is logged. This is not only beneficial for troubleshooting, but more importantly from a security, compliance, and risk audit trail standpoint.

    193 votes

    27 comments  ·  Reporting
    started  ·  Azure AD Team responded

    We are working on this but we don’t have a public ETA to share at this time. We will keep you updated as we get closer.

  3. Get 'low license count' notification

    It would be beneficial to get a notification when the license count gets down to x. We are syncing our users with DirSync and apply licenses based on group membership. When users get synced and we have no licenses left, I have zero idea until someone comes to me saying they cannot log in to O365.

    191 votes

    20 comments  ·  Licensing

  4. Password expiry notification for Azure AD joined devices?

    It would be great if a Password Expiry notification could be implemented for full Windows 10 Azure AD-joined clients in the same way that domain-joined clients receive them: a notification that pops up at the bottom-right corner of the screen. At the moment I wasn't able to find any way of enabling that.
    We use Azure Directory Sync - no ADFS.

    189 votes

    29 comments  ·  End user experiences

  5. Go Direct to Password Reset from Sign-In/Sign-Up

    The Sign-in only policy allows the user to go directly to the password reset.

    The Sign-in/Sign-up policy does not allow this. The user gets redirected back and you have to handle AADB2C90118.

    Reference: https://stackoverflow.com/questions/41497158/azure-ad-b2c-self-service-password-reset-link-doesnt-work

    While this flow is useful for some people the opposite is also true. Please allow me to specify the password reset policy in my sign-in/sign-up policy so the round trip is not required if I don't want it.

    187 votes

    48 comments  ·  B2C

  6. Show the Country and App/OS that triggered the MFA request via Authenticator app pop up

    If using the Microsoft Authenticator app with app notifications for Azure MFA requests, why can't we also have the country and the app or OS which has triggered the MFA request?

    This will help keep users from blindly tapping Approve every time and also give them more info on what app has requested MFA.

    You can already see this info in the Azure AD sign in and audit logs so why can't it be pushed through to the app pop-ups too?

    185 votes

    24 comments  ·  Multi-factor Authentication

  7. Allow PowerShell/Bash/script Azure AD join

    For converting BYOD to Azure AD in the field w/o user intervention, we need a way for elevated accounts to be able to perform an Azure AD join of devices via script.... come on, this is the basics...

    Think of it as MDM self-enrollment... if not that, then give us a one-click way for users to self-enroll the device.

    184 votes

    21 comments  ·  Domain Join  ·  Azure AD Team responded

    Thanks for the feedback on this. There are several ways to do Azure AD join (OOBE, bulk enrollment and Autopilot) which provide a richer experience to join devices to Azure AD. We’re continuously working to enhance those, so currently this is unplanned for the near future. Please continue to vote to help us prioritize.

    Ravi

  8. Support for 3rd party EMM solutions when requiring device compliance

    We use Airwatch for managing mobile devices. We want to use conditional access policies to ensure the device has been marked as compliant by Airwatch before allowing access to certain applications.

    Currently Azure AD Conditional Access Policies only support Intune for checking device compliance, as described at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications#trusted-devices. This should be extended to support 3rd party EMM solutions.

    183 votes

    36 comments  ·  Conditional Access  ·  Azure AD Team responded

    Thanks for your feedback. Microsoft is currently working with third party MDM providers to enable this scenario. We will update this thread once we have more information to share.

  9. Provide support for YubiKey / FIDO as the MFA

    Many other services (Google Apps, Facebook etc.) now allow this and it would be great to have in Azure AD.

    https://www.yubico.com/about/background/fido/

    180 votes

    19 comments  ·  Multi-factor Authentication

  10. AADB2C: include username in JWT claims

    AADB2C supports either email addresses or usernames for accounts. If a directory uses usernames, you don't get that username as a claim in the JWT. This means an extra trip to Azure must be made to retrieve the username. Please consider including the username in the JWT.

    180 votes

    27 comments  ·  B2C

  11. Make https://passwordreset.microsoftonline.com responsive design or app for password reset

    It would be nice if passwordreset.microsoftonline.com looked great on a mobile device as well as on a PC. It isn't responsive and looks weird on a phone. You have to pinch to see the text and textboxes on the page.

    Alternatively, Microsoft should consider integrating "Password Reset" / "Lockout" functionality in a new app or the existing Azure Authenticator app. This would notify the user about account lockout and also provide a way for the user to do a quick password reset on a device. Of course the user will need to answer a couple of questions, enter a PIN…

    179 votes

    21 comments  ·  Self-Service Password Reset

  12. Introspection endpoint for Azure Active Directory

    Hi,
    At times, there will be cases when the user logs out but the token associated with the user on the client doesn't expire, and so the Resource Servers/APIs invoked with these tokens still service/honor them. It would be great to have an introspection endpoint with AAD to check the validity of the token (as mentioned in RFC 7662, https://tools.ietf.org/html/rfc7662) so that all APIs/Resources can leverage it and accept or reject the token, instead of creating a custom repository at our end to blacklist these tokens.

    172 votes

    32 comments  ·  Other
    under review  ·  Azure AD Team responded

    Thanks for the feedback! We will look into this and share an update when we have more information.

  13. "Change password" policy

    Add a new Azure AD B2C policy that allows a signed-in user to change his or her password. Not the same as password reset.

    166 votes

    16 comments  ·  B2C  ·  Azure AD Team responded

    We are in the process of planning this feature and hope to have a preview available by the end of November. In the meantime, could you please respond to aadb2cpreview@microsoft.com with your responses to the following questions:

    - If you had a “password change” policy, what kind of information would you like to get back once the policy has been executed?
    - Would you prefer to have a policy that forces you to sign in first, and then asks you to change the password, or one that lets you do it all on the same page?
    - Would you want an email to get sent out to the user whenever the password is changed?

  14. Utilize AAD Security Groups for Device "Additional Local Administrators" support

    Emulating the Intune Roles method with Assignments, Members and Scopes would be ideal. Also the ability to disable Global Admin access (limit to groups/scopes added).

    161 votes

    13 comments  ·  Domain Join  ·  Azure AD Team responded

    We’re currently working on this capability and will provide an update when it’s done.

    However, instead of expanding the “Additional Local administrators” setting, we will support adding AAD groups to Windows 10 local groups (e.g. Administrators, Remote Desktop Users) via MDM policy and elevate user privileges on logon. This will provide greater flexibility to assign different groups to different devices.

    Ravi

  15. Allow more customization of the myapps.microsoft.com portal.

    It would be great if I could forward a subdomain to our myapps.microsoft.com portal. Instead of giving users the microsoft.com URL, I want to give them one.theblaze.com.

    Second, would be great if there was a newsfeed widget at the top of the portal that could show an RSS feed of company news.

    161 votes

    35 comments  ·  End user experiences  ·  Azure AD Team responded

    Thanks so much for the feedback! Customizations of the My Apps portal for both end users and admins are on our roadmap. This includes providing the ability to re-arrange and group apps as well as using a customizable domain.

    We are also looking to see if we can enable embedding other components like widgets. We’re still in process of validating options for this.
    Please keep sharing your feedback and ideas around this!

  16. Getting more granular permissions with Graph API and SPO sites

    Do we have any plans to allow Azure AD-registered apps accessing Microsoft Graph APIs (such as SharePoint Online) to have more granular permissions? Can we get SharePoint Online (SPO) to enforce more granular authorization rules based on the app identity and some manifest rules to restrict the site collection for example, instead of Sites.Read.All? I am looking for something like this: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs, but for Azure-AD apps (where we can specify really granular permissions).

    This question is around the ability to customize Microsoft Graph APIs such as SharePoint Online APIs to restrict the site collections that can be accessed by…

    156 votes

    10 comments

  17. Capture and display a last login date

    When reviewing a user's profile, a last login date for any Azure AD/Office 365 login should be captured/displayed, so that admins can evaluate inactive users for account disable and license recovery.

    153 votes

    17 comments  ·  Admin Portal

  18. Migrating from Azure MFA Server to MFA Cloud

    Need a migration method for migrating from Azure MFA Server to Azure MFA Cloud, without all our users having to re-register.

    152 votes

    17 comments  ·  Multi-factor Authentication  ·  Azure AD Team responded

    We are planning to provide a migration path to customers from MFA server to cloud MFA.

    If you are using voice and SMS, you can already use the Authentication methods APIs to migrate the data: https://docs.microsoft.com/graph/api/resources/authenticationmethods-overview

    If you are using the Authenticator app, users can enable Phone Sign-in to authenticate without passwords in the cloud: https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-phone#azure-mfa-server

  19. Add support to Azure AD B2C for the on-behalf-of flow.

    In order for a web API to call another downstream web API as the user, Azure AD B2C needs to support the OAuth on-behalf-of flow.

    According to the following reference, this isn't supported in B2C: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-apps#web-api-chains-on-behalf-of-flow

    I also cannot find this feature on the Azure Roadmap.

    148 votes

    17 comments  ·  B2C

  20. Integrate Azure AD PIM with on-premises AD

    Azure AD PIM is a cool feature, and easy to use. The on-premises MIMPAM solution is the exact opposite experience. It requires a lot of infrastructure to be in place, and different skillsets are needed to make it secure. It's simply too expensive and complex for a lot of organizations to use.

    Integrating AAD PIM with on-premises AD would solve these issues. A cloud based solution, paid by usage (license per user).

    146 votes

    under review  ·  12 comments  ·  Privileged Identity Management